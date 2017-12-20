Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com) 43
An anonymous reader quotes a report from Bleeping Computer: The increased adoption of HTTPS among website operators will soon lead to browsers marking HTTP pages as "Not Secure" by default, and Mozilla is taking the first steps. The current Firefox Nightly Edition (version 59) includes a secret configuration option that when activated will show a visible visual indicator that the current page is not secure. In its current form, this visual indicator is a red line striking through a classic lock that's normally used to signal the presence of encrypted HTTPS pages. According to Let's Encrypt, 67% of web pages loaded by Firefox in November 2017 used HTTPS, compared to only 45% at the end of last year.
Not everything needs to be encrypted (Score:3, Insightful)
Let's say I'm downloading a file that's several GB, like a disk image. When I download it, I'll verify the signature. If it's valid, the file is usable. Encrypting the entire download is a waste of resources for both the server and client. Not everything needs to be encrypted, so this is a little silly. Plus, hosting providers often charge extra fees for https, at least based on my experience.
If the signature itself is tampered with (Score:3)
Let's say I'm downloading a file that's several GB, like a disk image. When I download it, I'll verify the signature.
How can you be sure that the SHA-256 value against which you are verifying the disk image hasn't itself been tampered with on its way to your device?
Encrypting the entire download is a waste of resources for both the server and client.
No it isn't. If you fail to encrypt, your ISP, your ISP's ISP, and any snooping government can tell conclusively what you have downloaded. If you do encrypt, the eavesdropper can see only what domain you're accessing and the sizes of what you download. You can obfuscate even the sizes by using range requests to pull the 4 GB disk image a 4 MB chunk at a time.
Plus, hosting providers often charge extra fees for https
How to use a private CA with BYOD? (Score:2)
How is "make and install your own certificates" practical when users bring their own devices, such as public library patrons bringing their laptops or phones to a branch or friends or relatives bringing their laptops or phones to someone's home?
Even if the main download is done using HTTP, the SHA-256 value can be requested over HTTPS.
But the operator of the site hosting the SHA-256 values will still need to obtain a certificate. Is it more a matter of setting up Certbot to provision one certificate for the hash site rather than a separate certificate for each mirror site?
Technically correct, in some situations (Score:2)
Let's say I'm downloading a file that's several GB, like a disk image. When I download it, I'll verify the signature. If it's valid, the file is usable. Encrypting the entire download is a waste of resources for both the server and client.
As long as the signature file was delivered over HTTPS and you didn't have any evil root certificate authorities installed on your client, you would be fine. If the insecure download was tampered with, signature verification would fail, as you say.
Encrypting downloads is not that big of a deal resource-wise these days, though. Why not let HTTPS handle MITM detection for you?
;) Most users won't check a sig file anyway.
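Worked example, added by the editor rather than taken from any comment above: the "download over HTTP, digest over HTTPS" scheme the replies argue about, with the body pulled in range requests as suggested. The disk image, the sha256sum-style digest file, the loopback server and its URL are all constructed stand-ins; in a real deployment the digest file is what you would fetch from the HTTPS hash site and the image is what the plain-HTTP mirror serves.

```python
# Added example (not from the thread): download a "disk image" over plain HTTP in
# range requests, then check it against a SHA-256 digest that would be fetched
# over HTTPS. The image, the sha256sum-style digest file and the local server
# are constructed stand-ins; the URL is a loopback address, not a real mirror.
import hashlib
import hmac
import http.server
import threading
import urllib.request
from typing import Iterable, Iterator, Tuple


def byte_ranges(total: int, chunk: int) -> Iterator[Tuple[int, int]]:
    """Yield inclusive (first, last) byte offsets for HTTP Range headers."""
    if chunk <= 0:
        raise ValueError("chunk must be positive")
    first = 0
    while first < total:
        last = min(first + chunk, total) - 1
        yield first, last
        first = last + 1


def fetch_in_ranges(url: str, total: int, chunk: int) -> Iterator[bytes]:
    """Pull `total` bytes from `url` one Range request at a time."""
    for first, last in byte_ranges(total, chunk):
        req = urllib.request.Request(url, headers={"Range": f"bytes={first}-{last}"})
        with urllib.request.urlopen(req) as resp:
            if resp.status != 206:
                raise RuntimeError("server ignored the Range header")
            body = resp.read()
            if len(body) != last - first + 1:
                raise RuntimeError("short or oversized range response")
            yield body


def sha256_of_chunks(chunks: Iterable[bytes]) -> str:
    """Hash a stream incrementally so a multi-GB image never has to sit in memory."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text: str, filename: str) -> str:
    """Pick the digest for `filename` out of a sha256sum-style '<hex>  <name>' file."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            digest = parts[0].lower()
            if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
                return digest
    raise KeyError(f"no valid SHA-256 entry for {filename}")


def verify_download(chunks: Iterable[bytes], expected_hex: str) -> bool:
    """True only if the streamed bytes hash to the digest obtained over HTTPS."""
    return hmac.compare_digest(sha256_of_chunks(chunks), expected_hex.strip().lower())


class _RangeHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for a plain-HTTP mirror that honours single byte ranges."""
    image = b""

    def log_message(self, *_):  # keep the demo quiet
        pass

    def do_GET(self):
        data, rng = self.image, self.headers.get("Range", "")
        if rng.startswith("bytes="):
            first, last = (int(x) for x in rng[len("bytes="):].split("-"))
            body = data[first:last + 1]
            self.send_response(206)
            self.send_header("Content-Range", f"bytes {first}-{last}/{len(data)}")
        else:
            body = data
            self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    image = bytes(range(256)) * 40  # constructed 10 KiB "disk image"
    sums = f"{hashlib.sha256(image).hexdigest()}  disk.img\n"  # what the HTTPS hash site would serve
    _RangeHandler.image = image
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _RangeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_port}/disk.img"
    expected = parse_sha256sums(sums, "disk.img")
    print("genuine image verifies:", verify_download(fetch_in_ranges(url, len(image), 4096), expected))
    _RangeHandler.image = image[:-1] + b"\x00"  # on-path tampering: last byte flipped
    print("tampered image verifies:", verify_download(fetch_in_ranges(url, len(image), 4096), expected))
    srv.shutdown()
```

Two caveats a practitioner would want stated: the check only proves integrity if the digest file itself came over an authenticated channel (an HTTPS site whose certificate chains to a CA you actually trust, as the reply above notes), and it does nothing for confidentiality, since the mirror, every network in between and anyone watching the traffic still sees exactly which file was fetched.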
Stupid (Score:1)
This is completely retarded. Not every site needs https.
The percentage covers only the subset of users who have opted into Firefox telemetry [mozilla.org]. If you want to make your votes not count, that choice is yours. Just don't whine when Mozilla cuts your pet feature for lack of usage share justifying the maintenance cost.
But it's apparently very important to educate users to ignore yet another legitimate warning indication.
But it's apparently very important to educate users to ignore yet another legitimate warning indication.
What's worse is the implication that if it isn't telling you that it is not secure, it must be secure, because it's using https.
Servers on your LAN are probably Not Secure (Score:4, Informative)
HTTPS requires a certificate, and a certificate that requires a fully qualified domain name. The CA/Browser Forum's Baseline Requirements forbid issuing certificates in RFC 1918 private networks (such as 10/8 and 192.168/16) or the mDNS reserved domain (.local). This means everything on the average user's local area network will end up marked "Not Secure", such as the administration interface of the user's router, printer, or network attached storage (NAS) device.
The document "Deprecating Non-Secure HTTP" [mozilla.org] states that Mozilla is aware of this problem but fails to offer a solution:
What's even worse, is that many of these devices use HTTPS with an unverifiable certificate (either self-signed, missing an FQDN due to being local, etc). This is extremely annoying (and likely confusing to many) when trying to access such devices, to the point where they probably seem outright broken to an "average" user.
I wish one of these organizations would come up with some solution to that problem, which everyone can adopt.
For my own purposes, I set myself up an "internal CA" and loaded its certs on a
> I set myself up an "internal CA" and loaded its certs on all my browsers/devices.
This is the usual solution for big companies and capable users.
However the flaw is in the certificate specs. Certificates and crypto library auth policies do not have the semantics defined to declare "This cert is for this specific local domain and address space with this unique identifier" so it can be distinguished from all other such places with an identical domain and address space. It's a solvable problem. The browser
The LAN FQDN problem in a previous AMA (Score:2)
I mentioned the same planned obsolescence concern in my question to Jacob at Let's Encrypt [reddit.com] in an AMA on reddit a year ago.
Q. What about my home router? Or my printer?
The challenge here is not that these machines can’t do HTTPS, it’s that they’re not provisioned with a certificate. A lot of times, this is because the device doesn’t have a globally unique name, so it can’t be issued a certificate in the same way that a web site can. There is a legitimate need for better technology in this space, and we’re talking to some device vendors about how to improve the situation.
It should also be noted, though, that the gradual nature of our plan means that we have some time to work on this. As noted above, everything that works today will continue to work for a while, so we have some time to solve this problem
The solution is logging into the device using TLS-SRP but this doesn't enrich the CAs so no chance in hell.
Mr Policeman (Score:1)
Great. How your site won't be browsable at all by default in Firefox until you pony up cash to a certification company.
I guess we know who paid for all those Quantum puff pieces now.
Let's Encrypt is gratis (Score:1)
The only "certification company" to which you'd need to "pony up cash" is the domain registrar, which you need anyway for a public website. Once you have a domain, you can automate provisioning of certificates issued without charge by Let's Encrypt using an ACME client such as Certbot.
I tried running Let's Encrypt's scripts and they crashed.
Does Firefox still matter? (Score:2)
I guess it depends; but when your rival has about 5 times your market share, you do not matter that much...or do you?
How to Disable it (Score:3)
Outstanding. Now how will I disable this problem?
Secure Sockets Layer is great for Corporates (Score:2)
Who has 192.168.123.45 in your coffee shop? (Score:2)
http (IP on private network) = secure
How so? When your laptop or phone is on restaurant or public library Wi-Fi, you don't know who has 192.168.123.45. This is why the definition of a "potentially trustworthy origin" in the W3C candidate recommendation "Secure Contexts" [w3.org] includes localhost but not RFC 1918 private IP addresses.
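As an added example (not part of any comment above): the "potentially trustworthy origin" test from the W3C Secure Contexts draft, which the reply relies on, written out in Python next to an RFC 1918 check so the difference between "localhost" and "a 192.168 address on somebody else's Wi-Fi" is visible in code. The origins fed to it in main() are constructed; a user agent may additionally treat operator-configured origins as trustworthy, and that part is not modelled here.

```python
# Added example (not from the thread): classify origins the way the W3C
# "Secure Contexts" draft's "potentially trustworthy origin" test does, and
# separately flag RFC 1918 addresses. The origins in main() are constructed.
import ipaddress
from urllib.parse import urlsplit

RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(host: str) -> bool:
    """True for an IPv4 literal inside one of the RFC 1918 private ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def is_potentially_trustworthy(origin: str) -> bool:
    """Secure Contexts: https/wss/file, loopback literals and localhost names pass;
    a plain-http origin on a private LAN address does not."""
    parts = urlsplit(origin)
    if parts.scheme.lower() in ("https", "wss", "file"):
        return True
    host = (parts.hostname or "").lower()
    if not host:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)  # urlsplit already strips IPv6 brackets
    except ValueError:
        return False  # a plain-http DNS name is never trustworthy
    return ip.is_loopback  # 127.0.0.0/8 or ::1


def describe(origin: str) -> str:
    """Human-readable verdict, calling out the LAN case the thread is about."""
    if is_potentially_trustworthy(origin):
        return "potentially trustworthy"
    host = urlsplit(origin).hostname or ""
    if is_rfc1918(host):
        return "not secure (RFC 1918 address: anyone on the same Wi-Fi could be this host)"
    return "not secure"


if __name__ == "__main__":
    for o in ("https://example.com/", "http://localhost:8080/", "http://127.0.0.1/",
              "http://[::1]:3000/", "http://192.168.123.45/", "http://10.0.0.1/",
              "http://router.local/", "file:///home/user/page.html"):
        print(f"{o:32} {describe(o)}")
```

The design point is that loopback passes because the bytes never leave the machine, whereas a private address only says "this packet stayed on whatever network I happen to be on", which on shared Wi-Fi is no guarantee at all.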
Security fatigue (Score:2)
Thanks for pouring napalm on the fire.
Visual Indicator (Score:2)
"...when activated will show a visible visual indicator..."
In my 35 years in the computer industry, I have always found that visual indicators that were visible were much more effective than ones that weren't. But then, I'm kind of old-school...